I. Introduction

InnoGames GmbH (“InnoGames”, “We”) is the data controller in respect of your personal data and is committed to protecting and respecting your privacy and personal integrity when you are using the mobile apps and online games as well as portals and websites offered by us (together “Services”). This Privacy Policy will help you understand what personal data we collect about you, why it is collected and how it is used by us. It will clarify how you can exer-cise your rights when you trust us to handle your personal data for you. We ask that you take a moment to read this Privacy Policy carefully and familiarize yourself with its content. If you have any questions, you are welcome to contact us by using the contact information provided at the end of this Privacy Policy.

Please note that our Services may contain links to websites that can be held by partner com-panies. If you follow a link to any of these websites or use these third-party services, you should be aware that they have their own privacy policies and that we do not assume any liability for their processing of your personal data. Therefore, please make sure to read their privacy policies before providing your personal data to them.

We offer our Services only to players who are at least 16 years old. Hence, we do not knowingly market to or solicit personal data from persons under the age of 16.

II. Name and address of the controller

The controller in line with the General Data Protection Regulation and other national data protection laws of the member states, as well as other legal data protection provisions, is:

IV. General information on data processing

1. Scope of personal data processing

In general, we record only the personal data which you disclose when using Services as part of your login or registration and possibly during use of fee-based services. Personal data are those which contain information about personal or factual circumstances. When logging in and registering as a user on our website, you only have to provide an email address and, if applicable, a username and password. When registering for certain Services, email addresses are not collected during registration but only later during the use of the Service. The password is stored in hasehd form, which never allows for an inference of the actual password.

In the context of implementing the concluded user contract, particularly in the context of fee-based Services you have chosen, the disclosure of further data, such as the full name, address, account details, credit card numbers, etc., may be required. It is sometimes also necessary to request personal information such as your name, address, email address, and telephone number for the purposes of processing your inquiries or providing you with support. InnoGames will handle these data confidentially and in compliance with the legal data protection provisions. In principle, InnoGames will not disclose such information to third parties without your permission, unless this is required for the implementation and execution of the contract, for processing your request or for your support or in the case of a legal permit.

2. Legal basis for personal data processing

Insofar as we obtain the consent of the data subject for processing of personal data, Art. 6(1)(a) of EU General Data Protection Regulation (GDPR) serves as the legal basis for personal data processing.

In personal data processing required for the fulfilment of a contract of which the data subject is a party, Art. 6(1)(b) GDPR serves as the legal basis. This also applies to the processing required in order to carry out pre-contractual actions.

Insofar as personal data processing is required for the fulfilment of a legal obligation which our company is subject to, Art. 6(1)(c) GDPR serves as the legal basis.

In the event that vital interests of the data subject or another natural person require personal data processing, Art. 6(1)(d) GDPR serves as the legal basis.

If processing is required to protect the legitimate interests of our company or of a third party, and if the interests, fundamental rights, and freedoms of the data subject do not prevail over the interests mentioned first, Art. 6(1)(f) serves as the legal basis for processing.

3. Deletion of data and duration of storage

The personal data of the data subject are deleted or blocked as soon as the purpose of storage no longer exists. In addition, such storage may occur if this is provided for by the European or national legislator in EU regulations, laws or other regulations to which the controller is subject. The blocking or deletion of data also occurs when the storage period prescribed in the abovementioned regulations lapses, unless further storage of the data is required for conclusion or fulfilment of a contract.

4. Data security

InnoGames makes reasonable efforts to prevent unauthorised access to your personal data as well as unauthorised use or falsification of these data and to minimise the corresponding risks. However, the provision of personal data, whether it be in person, over the phone or over the Internet, always involves risks and no technological system is completely free of the possibility of being manipulated or sabotaged.

InnoGames processes the information collected from you in accordance with German and European data protection law. All employees are obliged to comply with data secrecy and data protection provisions and are instructed in this regard. Your data are transmitted in an en-crypted form using the SSL method.

V. Provision of our services and creation of log files

1. Description and scope of data processing

Each time our website is accessed, our system automatically collects data and information from the computer system of the accessing computer.

The following data are collected here:

Internet protocol

IP address

URL of the referring website from which the file was requested

Date and time of access

Browser type and operating system

the page visited by you

amount of transferred data

access status (file transferred, file not found etc.),

duration and frequency of use

The data is also stored in the log files of our system.

When accessing mobile apps, the following data and information are collected:

Internet protocol

IP address

date and time of access

device type and operating system

amount of transferred data

access status (file transferred, file not found etc.),

duration and frequency of use

Google Play IDs and Game Center IDs can possibly be stored to log you in to several devices.

If an error occurs during the use of our Services and we want to rectify this, we may also col-lect other data, e.g. Player ID and username.

2. Legal basis for data processing

The legal basis for the temporary storage of data and log files is provided by Art. 6(1)(f) GDPR.

3. Purpose of data processing

The temporary storage of the IP address by the system is necessary to allow delivery of the Services to the computer of the user. For this purpose, the user's IP address must be stored for the duration of the session.

The storage in log files is done to ensure the functionality of the Services. In addition, the data is used by us in order to optimise the website and to ensure the security of our information technology systems. Evaluation of the data for marketing purposes does not take place in this context. Only a statistical evaluation of datasets takes place.

InnoGames reserves the right to store IP addresses and log files for a maximum period of 30 days after the website is used to monitor compliance with the terms of use and rules of the game. In particular, this procedure is used to prevent any cases of abuse or to resolve them and, on a case-by-case basis, to pass on the data for this purpose to investigative authorities. Apart from that, any other analysis of data is done in anonymous form as much as possible. After the end of this period, the IP address and log files are completely deleted, unless there are mandatory statutory storage requirements or specific prosecution- and abuse investigation proceedings pending.

These purposes also constitute our legitimate and predominant interest in data processing according to Art. 6(1)(f) GDPR.

4. Storage duration

The data are deleted as soon as they are no longer necessary to fulfil the purpose of their collection. In the case when data are collected for the purpose of making the website availa-ble, this is the case when the respective session is over.

Log files which contain personal data are generally deleted after seven days at the latest. Ad-ditional storage is possible in the case of so-called error logs which allow us to fix errors. These error logs are deleted after maximum 30 days, collected IP addresses are anonymised after 30 days.

5. Possibility of objection and removal

The collection of data for the purpose of making the website available and the storage of the data in log files is essential for the operation of the website. As a consequence, there is no objection possibility on the part of the user.

VI. Inquiries via contact form, email, and support tool

1. Description and scope of data processing

a) Contact form

On our website, a contact form is available which can be used to contact us electronically. Should a user choose this option, the data entered in the input mask will be transmitted to us and stored. These data are:

Name

Email address

Message

Additionally, at the point of sending the message, the following data are stored:

IP address of the user

Date and time of submission

For the processing of the data, reference is made to this privacy policy in the context of the submission process.

b) Email

Alternatively, it is possible to contact us via our provided email addresses. In this case, the personal data of the user transmitted with the email are stored.

c) Support tool

Alternatively, you can contact us via our support tool integrated into our Service. It will then store your user data and the content of the support inquiry as well as the time of the inquiry.

No data are transmitted to third parties in this context. The data are used exclusively for the processing of the conversation.

2. Legal basis

Legal basis for data processing is Art. 6(1)(f) GDPR. If the e-mail contact is aimed to conclude a contract or serves the contract execution, additional legal basis for the processing is Art. 6(1)(b) GDPR.

3. Aim of data processing

The processing of the personal data serves us only to process the contact and the support request. The other personal data processed during the submission process serve to prevent misuse of the contact form and to ensure the security of our information technology systems.

4. Storage duration

The data are deleted as soon as they are no longer necessary to fulfil the purpose of their collection.

5. Possibility of objection and removal

At any time after contacting us, you have the option to object to personal data processing, regardless of whether this was done via a contact form, email or support tool. In such a case, the conversation cannot continue and your concern may not be conclusively handled. All per-sonal data stored in the course of contacting will be deleted in this case. This shall not apply if mandatory statutory retention requirements preclude this.

VII. Submission of newsletters

You can subscribe on our websites or in our games for a newsletter on the respective game. For this, we require your email address.

In addition, we must verify, taking into consideration the relevant legal regulations, that you are the actual owner of the provided email address and wish to receive the newsletter. For this purpose, we send you a validation email.

Our newsletters contain a pixel-size image (tracking pixels), which is retrieved by a server of the newsletter sender when the newsletter is opened. As part of this retrieval, technical information, such as information about your browser or operating system, as well as your IP address, location, and time of retrieval, is collected. This information is anonymised and evaluated independently of the individual.

Since the submission and receipt of the newsletter depend on your consent, you can revoke this consent for collection and storage of your data at any time without providing the reasons for it. For this purpose, use the unsubscribe link which can be found at the end of our newsletter.

Additionally, you have the option to opt-out of receiving newsletters in the Data Usage Window inside any of our games under “Settings”.

VIII. Submission of push notifications

1. Description and scope of data processing

If you have selected the appropriate settings on your device, InnoGames can send push notifications to your mobile device to give you updates for games and other relevant news. You can manage push notifications on the page “Options” or “Settings” in the mobile app or in the settings of your device.

2. Legal basis for data processing

The legal basis for data processing in the presence of a contract is according to Art. 6(1)(b) GDPR.

3. Purpose of data processing

Push notifications are special notifications which are displayed directly on your mobile device. The notifications contain, for instance, the information that one of your buildings in the game has been completed. As a rule, push notifications contain short messages which focus on the essential.

4. Storage duration

The messages are stored within our push gateway for up to 21 days. The messages are also stored in anonymised form in our event tracking system for an indefinite amount of time. To our knowledge, messages may be stored by the supplier of your mobile device.

5. Possibility of objection and removal

You can switch off the push notifications as follows:

a) Android

Open Settings > Apps & notifications > Notifications > App notifications > Name of the app. On this screen you can control if and how Push Notifications are shown to you.

b) iOS

Open settings > Notifications > Name of the app. On this screen you can control if and how Push Notifications are shown to you.

c) Data Usage Window

Additionally, you have the option to opt-out of receiving push notifications sent for marketing purposes in the Data Usage Window inside any of our games under “Settings”.

IX. Use of cookies

1. Description and scope of data processing

In order to ensure that you receive the most relevant information and the best service when you visit the Website, information and data will be collected through the use of cookies. It helps us (and other authorized third parties) to provide you with a personalized experience when you visit our Website, and it also allows us to improve our Service and make sure that you will easily find what you want. We want you to understand our use of cookies. Hence, we explain the types of technologies we use, what they do and your choices regarding their use.

Cookies are small pieces of data (text files) that are sent to your browser from a web server and stored on your device so that the website can recognize your device. There are two types of cookies, permanent and temporary (or “session”) cookies. Permanent cookies are stored as a file on your computer or mobile device for a longer period of time. Session cookies are temporarily placed on your computer when you visit our Website but are erased when you shut down the page. If you do not want to accept cookies, you can adjust the settings in your web browsers security preferences, see more information on this below.

We and our service providers may use the following categories of cookies:

a) Essential Cookies

These cookies are strictly necessary for us to provide our Services. For example, we may use these cookies to authenticate and identify our members when they use our Site so we can provide our Services. Without these cookies we would not be able to recognise you and you would not be able to access our Services. They also help us to enforce our Terms and Conditions and maintain the security of our Services.

b) Performance and Functionality Cookies

These cookies are not strictly necessary but allow us to personalize your online experience of our Site. For example, they allow us to remember your preferences and mean that you do not need to re-enter information you have already provided e.g. when signing-up to our Ser-vices. We also use these cookies to collect information (e.g. popular pages, viewing patterns, click-throughs) about our visitors' usage of our Services so that we can improve our Site and Services and conduct market research. If you choose to delete these cookies you will have limited functionality of our Services.

c) Advertising Cookies

These cookies use information about your usage of our Site and other websites, e.g. the pages you visit or your response to ads, to deliver ads that are more tailored to you, both on and off our Site. These types of ads are called “Interest-Based Advertising.” Many of these types of cookies belong to our service providers. For third party advertisers, see more below.

2. Legal basis for the data processing

The legal basis for personal data processing with the use of cookies is Art. 6(1)(f) GDPR.

3. Purpose of data processing

We use the information from cookies to make our Website user-friendly and to enable us to provide you with personalized recommendations. We may also use several authorized third parties who put cookies on our Website to deliver services that they provide (third party cookies).

We may use session cookies to allow you to move between pages on our Website without having to re-enter information.

Permanent cookies are used in several ways, including:

To allow you to move between pages on our Services without having to re-enter information.

To help us recognize you when you return to our Website to use our Services.

To allow you access to stored information.

To allow us to recommend other games that suit your preferences.

To ensure that you do not get asked to fill in survey forms repeatedly.

We (and our authorized third parties) may use non-personal information from both permanent cookies and session cookies for statistical purposes as follows:

To determine which are the most popular parts of our Services.

To monitor the use of our Services and our Website (frequency and time).

To provide anonymous information to third parties so that more appropriate advertising can be directed at you.

To track product success.

To determine how frequently you and other users visit our Services and your interaction in our games.

We set and read our own cookies to provide the following functions (first-party cookies):

a) Remember Me Cookie

To provide you with ‘remember me’ functionality: We allow users to log into the game via this cookie. This can be disabled by deselecting “Remember Me” on manual login. If you select the "Remember Me" function, a permanent cookie will be installed in the device you are using, so that you do not need to log in again when browsing the Services. If you log out of a Service, the cookie will be deleted again.

b) Language Version Cookie

To ensure the right language version of the game is shown to you.

c) Portal Cookie

To allow us to optimize our landing pages and improve our marketing: we store details of the landing page you visited as well as an identifier in a cookie.

d) 3rd Party Snippet Cookie

We set a cookie to record your decision about 3rd party tracking snippets and cookies.

We also use several third-party cookies as part of our Services. These cookies are governed by the respective sites and are not controlled by us. You can switch off the installation of some of these cookies in your general browser settings, for others you will need to go to the respective websites and follow the instructions provided.

For instance, it is checked which language version you use to access our Services. If you became aware of our Services through one of our partners, we store the information on who the partner is.

Third party advertisers: We may use advertisers, third party ad networks, and other advertising companies to serve advertisements on our Services. Please be advised that such advertising companies may gather information about your visit to our Services or other sites to enable such advertising companies to market products or services to you, to monitor which ads have been served to your browser and which webpages you were viewing when such ads were delivered. If you would like more information about third party advertisers, please click here. Please note that the collection and use of information by third party advertisers is not covered by this privacy policy.

In the abovementioned purposes, our legitimate interest also consists in personal data processing according to Art. 6(1)(f) GDPR.

4. Storage duration

The data are deleted as soon as they are no longer necessary to fulfil the purpose of their collection.

5. Possibility of objection and removal

If you do not want these cookies to be stored on your computer or wish to be informed of their storage, you can prevent the installation of cookies by a corresponding adjustment to your browser software by selecting the option "do not accept cookies" in your browser settings or declining the use of third party tracking on the first visit to the website. Your browser manufacturer's instructions will give you more details on how this works or see
https://www.aboutcookies.org.
You can also opt-out of receiving third-party cookies in general at
http://www.youronlinechoices.com.
However, we would like to point out that by preventing cookies, you may find that you cannot use all the website's functions to the full extent.

a) Android

Open the settings in your app list and tap on the “Ad” button. Once you have opened the ad window, you can disable the Google Advertising ID.

b) iOS

Open the settings on your mobile end device (e.g. iPhone or iPad) and select the menu option “Data protection”. Under the option “Advertising”, you can switch off the ad tracking.

c) Data Usage Window

Additionally, you have the option to opt-out of using third-party tracking in the Data Usage Window inside any of our games under “Settings”.

X. Transfer of personal data to third parties

InnoGames will only transfer your personal and/or billing-related data to third parties, in the sense of companies cooperating with InnoGames or external service providers, insofar as this is required for the fulfilment of the contract, for payment processing as well as for the pro-tection of other users and is legally permitted or prescribed.

This applies in particular to the processing of payments made via external service providers chosen by you (e.g. banks, credit card companies, payment service providers such as Al-lopass, Amazon, Apple, Boacompra, Facebook, Google, Boku Payments, DaoPay, HiPay, Mobiyo, PayPal, Samsung, Sofortüberweisung, Worldpay). Your legally protected interests will be considered in accordance with the statutory provisions. The external service providers are required to treat your data confidentially and securely and may only use your data to the extent necessary to fulfil their task.

In the event of payment delay, we may commission a debt collection agency or a lawyer to collect the outstanding debt. For this purpose, the necessary data will be passed on and used in compliance with all data protection guidelines.

In addition, your personal information will be shared if it is necessary to protect other users or to counter threats to state or public security or to prosecute criminal offences and if is permitted by statutory data protection provisions. Your protectable interests will be considered in accordance with the statutory provisions. Please note that InnoGames may be obliged to disclose data due to statutory provisions or, for instance, a judicial order (e.g. disclosure to investigative authorities). Disclosure always occurs only insofar as it is necessary and legally permitted or prescribed.

XI. Use of third-party login services (“social logins”)

1. Login via Facebook Connect

We offer you the possibility to log in to our services via Facebook Connect. This is a service of Facebook Inc., 1601 S. California Ave, Palo Alto, CA 94304, USA or, if you reside in the EU, Facebook Ireland Ltd., 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland (“Facebook”). If you use it, additional registration is not necessary. To log in, you are redirected to the Facebook website where you can log in with your user data. This links your Facebook profile and our service. Through the link, we automatically receive information from Facebook. The following information is transferred to us: Email address

This information is mandatory for the conclusion of the contract in order to identify you. Further information on Facebook and privacy settings can be found in the data protection guidelines at:
https://www.facebook.com/about/privacy/update.

2. Login via Google Sign-In

We offer you the possibility to log in to our services via your Google account. This is a service of Google Inc. (1600 Amphitheatre Parkway Mountain View, CA 94043, USA (“Google”). If you use it, additional registration is not necessary. To log in, you are redirected to the Google website where you can log in with your user data. This links your Google profile and our service. Through the link, we automatically receive information from Google. The following information is transferred to us: Email address

This information is mandatory for the conclusion of the contract in order to identify you. Fur-ther information on Google and privacy settings can be found in the data protection guidelines at:
https://policies.google.com/privacy.

XII. Use of third-party analysis services

1. Adjust

a) Description and scope of data processing

We use mobile tracking technologies. For this we use the services of adjust GmbH, Saarbrücker St. 38a, 10405 Berlin, Germany. With the help of these services we collect statistical data about the use of our services to continually improve them. When you use our apps, your device sends us information that we collect and analyse. The following data is collected: IP address that is immediately anonymised, MAC address, anonymised Device ID (IDentifier For Advertisers - IDFA or Google Advertiser ID - GAID), browser type, language, Internet service provider, network status, time zone, access and exit page URL, time and date of access, clickstream data and other statistical information about the use of our services. There are no direct personal identifiers. The data collected in this way is used to create anonymous user profiles. The data collected with the tracking technology will not be used to personally identify the visitor of these websites without the express consent of the person concerned. For more information, please refer to the Adjust data protection policy at:
https://www.adjust.com/privacy-policy.

b) Legal basis for the data processing

The legal basis for this processing is Art. 6(1)(f) GDPR. We have entered into a data processing agreement with Adjust.

c) Purpose of the data processing

The purpose is to improve your user experience with our services and to make our offer more attractive to you. In addition, the data collected is used to analyse the performance of marketing campaigns and generate performance reports.

d) Storage duration

The data will be retained by us for the duration of use of the service and by Adjust for 28 days.

e) Objection and deletion

Data collection and storage can be halted at any time with future effect by configuring your mobile device as described above at IX.5.

2. Google Analytics

a) Description and scope of the data processing

This website uses the “Google Analytics” service, which is provided by Google Inc. (1600 Amphitheatre Parkway Mountain View, CA 94043, USA) for analysis of website usage by users. The service uses “cookies” - text files which are stored on your device. The information collected by the cookies is usually sent to a Google server in the USA and stored there.

IP anonymisation is used on this website. The IP address of users within the member states of the EU and the European Economic Area will be abbreviated. This abbreviation eliminates the personal reference to your IP address. Under the data processing agreement, which we have established with Google Inc., Google uses the information collected to analyse website usage and activity and to provide services related to internet usage.

b) Legal basis for the data processing

The legal basis for this processing is Art. 6(1)(f) GDPR. We have entered into a data processing agreement with Google.

c) Purpose of data processing

On our behalf, Google uses this information to analyse your website usage, to compile reports on website activity and to provide other services relating to website and internet usage. The IP address transmitted by your browser through Google Analytics is not amalgamated with other Google data.

d) Storage duration

The data will be retained by Google for 26 months; due to the abbreviation of the IP addresses, no personal data will be stored.

e) Objection and deletion

You have the option of preventing the storage of cookies on your device by configuring your browser accordingly. There is no guarantee that you will be able to access all functions of this website without restrictions if your browser does not allow cookies. Furthermore, you can use a browser plug-in to prevent the information collected by cookies (including your IP address) from being sent to and used by Google Inc. The following link takes you to the required plug-in:
https://tools.google.com/dlpage/gaoptout.

3. Hotjar

a) Description and scope of data processing

We use the services of Hotjar Ltd, Malta. This is an analysis tool that helps us to track how you use our website, such as how you navigate through our site. Among other things, Hotjar uses “cookies” (small text files that are stored on your display device) to perform the analysis. More information about Hotjar's cookies can be found here:
https://www.hotjar.com/cookies.
We have also embedded the Hotjar tracking code on our website, which is used for the collection of (i) device-specific data (i.e. collection and storage of the IP address in anonymised form, size of the device screen, device type and browser information, country as geographical location and preferred language when displaying a website) and (ii) log data (i.e. referring domain, visited page(s), country as geographical location and preferred language when displaying a website, date and time of website access). Hotjar also uses third-party services such as Google Analytics and Optimizely. More information about Hotjar's data protection services can be found here:
https://www.hotjar.com/privacy.

b) Legal basis for the data processing

The legal basis for this processing is Art. 6(1)(f) GDPR. We have entered into a data processing agreement with Hotjar.

c) Purpose of the data processing

The purpose is to improve your user experience with our website and to make our offer more attractive to you. If you do not wish to allow cookies, you can disable them (see above). If you register with us, your data will not be linked to your personal data.

e) Objection and deletion

XIII. Use of third-party advertising services

1. General information

The website may occasionally contain advertisements from third parties and interactive links to third-party websites for which we are not responsible. In particular, we have no influence whatsoever on the content and design of the external sites linked to the websites to which you may be directed via these sites. The respective providers are exclusively responsible for the content and design of these websites as well as compliance with data protection regulations. Advertisers occasionally use technologies that send advertisements that appear on our websites directly to your browser, automatically transmitting your IP address. The advertisers concerned sometimes also use cookies and other technical means to measure the efficiency of their advertising or to optimise their content. This applies in particular, but not exclusively, to the classification of websites to certain interest categories within the scope of your Internet use. No connection will be established between this information and your name, address, telephone number or email address. We have no influence on that. The handling of data by these third parties is therefore not covered by this data protection declaration. Therefore, please contact the respective provider directly for information on their data protection regulations. You can disable the use of cookies in your browser settings (see above).

We forward your anonymised Device ID (IDentifier For Advertisers - IDFA or Google Advertiser ID - GAID) to some of our marketing partners within and outside of Europe (e.g. in the USA), in order to generate advertising for certain user groups with the help of our partners or to exclude users from certain advertising efforts. You can revoke data collection, storage, and transfer by applying your mobile device settings as described above.

2. AppNexus

InnoGames uses the advertising display services of the external vendor AppNexus Inc., 28 West 23rd Street, 4th Floor, New York, NY 10010, USA,
https://www.appnexus.com („AppNexus“).
For this purpose, we have implemented the AppNexus tracking pixel (i.e. a code snippet) on our website. The tracking pixel allows players' actions to be tracked on our website. No personal reference is established. Only statistical information is collected and transmitted to Ap-pNexus. This is intended to optimise advertising campaigns and to broadcast advertisements of interest to Internet users. Should wish otherwise, you can disable the AppNexus tracking by tapping the opt-out button at
https://www.appnexus.com/en/company/platform-privacy-policy#choices.
For more information on data protection at AppNexus, please visit:
https://www.appnexus.com/en/company/platform-privacy-policy.

Facebook Pixel allows Facebook to identify the visitors of our online content as a target group for displaying advertisement (known as “Facebook ads”). Accordingly, we use Facebook Pixel to display our posted Facebook ads only to Facebook users who have shown an interest in our services or who share certain factors (such as interests in certain topics or products determined on the basis of visited web pages), which we transmit to Facebook (which is known as Custom Audiences). Facebook Pixel also helps us understand the effectiveness of Facebook ads for statistical and market research purposes, by showing whether users have been redirected to our services after clicking on a Facebook ad (known as conversion, and allowing to determine on which devices a user is performing an action), in order to create so-called lookalike audiences or statistical twins (i.e. to broadcast ads to target groups that are similar to existing customers) and to obtain comprehensive statistics about the use of the website. Facebook Pixel establishes a direct connection to the Facebook servers when you visit our website. This way, the Facebook server is notified that you have visited our website and Facebook assigns this information to your personal Facebook user account.

4. Google DoubleClick

DoubleClick is a service of Google Inc., 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA (“Google”). DoubleClick uses cookies to display advertisements relevant to you. Your browser is assigned an pseudonymised identification number (ID) to check which ads have been displayed in your browser and which ads have been interacted with. These cookies do not contain any personal information. The use of DoubleClick cookies only allows Google and its partner websites to display ads based on previous visits to our site or other websites on the Internet. The information generated by cookies is transmitted by Google to a USA-based server and stored for analysis. You can reject the use of cookies by selecting the appropriate settings on your browser. However, please note that this may limit the full functionality of our website for you. You can also prevent Google from collecting and processing cookie-generated data about your use of the website by disabling the use of cookies in your browser settings (see above). You can also opt out of the collection and categorisation of interest-based information by disabling it on the DoubleClick cookie settings page at:
https://support.google.com/ads/answer/7395996

XIV. Use of other third-party services

1. Episerver Campaign (formerly optivo Broadmail)

The e-mail addresses of our newsletter recipients and other data described in this notice are temporarily stored for this purpose on Episerver servers in data centres within Germany and are subject to the German Data Protection Act. Episerver uses this information to send and assess newsletters on our behalf. Episerver may also use this information to improve its own services, such as technically optimising newsletter dispatch and presentation. However, Episerver does not use the data of our newsletter recipients to write to them, and never forwards the information to third parties if not legally required. The security scheme of Episerver Campaign for the Omni channel and the email marketing cloud is ISO 27001 certified. For further information, please visit:
https://www.episerver.de/produkte/plattform/episerver-campaign/sicherheit.

Our newsletters contain a pixel-sized image (pixel code) that is retrieved by an Episerver server when the newsletter is opened. Technical information is collected as part of this retrieval, such as information about your browser or operating system, as well as your IP ad-dress, and the place and time of retrieval. This information is anonymised and assessed without personal information.

2. Google Maps

Our websites use maps from Google Inc., 1600 Amphitheatre Parkway Mountain View, CA 94043, USA. When you access one of our pages featuring a relevant map, map content is retrieved from Google's servers. If you are signed in with your Google account, Google can merge your browsing behaviour with other information. The use of Google Maps is in the interest of an easy-to-understand representation of our Services. This constitutes a legitimate interest within the meaning of Art. 6(1)(f) GDPR. Google's data protection policy applies:
https://policies.google.com/privacy?hl=de&gl=de.

3. LinkedIn

Our websites use buttons from LinkedIn Corp., 2029 Stierlin Court, Mountain View, CA 94043, USA. The contents of LinkedIn servers are retrieved when you access one of our pages with a relevant button. If you are logged into your LinkedIn account, LinkedIn can merge your browsing behaviour with other information. The use of LinkedIn buttons is in the interest of exchanging information about our Services and improving them. This constitutes a legitimate interest within the meaning of Art. 6(1)(f) GDPR. LinkedIn's data protection policy applies:
https://www.linkedin.com/legal/privacy-policy.

4. Litmus

Litmus is a service provided by Litmus Software, Inc. (675 Massachusetts Ave., 10th Floor, Cambridge, MA 02139, USA) for analysing emails. The newsletters contain a pixel-sized image (pixel code) that is retrieved by a Litmus server when the newsletter is opened. Technical information is collected as part of this retrieval, such as information about your browser or operating system, as well as your IP address, and the place and time of retrieval. This information is anonymised and assessed without personal information.

5. Mailgun

Mailgun is a service provided by Mailgun, Inc. (620 Folsom St, Ste 100, San Francisco, CA 94107, USA) for sending our e-mails. This service may also collect information about the date and time when messages were read by the user and when the user interacts with incoming messages (such as by clicking on links contained in them). The company is a party to the Safe Harbour Agreement with the EU and is committed to upholding European data protection standards:
https://www.mailgun.com/privacy.

6. Pinterest

Our websites use buttons from Pinterest, Inc., 808 Brannan St, San Francisco, CA 94103, USA. The contents of Pinterest servers are retrieved when you access one of our pages with a relevant button. If you are logged into your Pinterest account, Pinterest can merge your browsing behaviour with other information. The Pinterest data protection policy applies:
http://pinterest.com/about/privacy/.

7. Twitter

Our websites use buttons from Twitter Inc., 795 Folsom St., Suite 600, San Francisco, CA 94107, USA. The contents of Twitter servers are retrieved when you access one of our pages with a relevant button. If you are logged into your Twitter account, Twitter can merge your browsing behaviour with other information. The use of Twitter buttons is in the interest of exchanging information about our Services and improving them. This constitutes a legitimate interest within the meaning of Art. 6(1)(f) GDPR. The Twitter data protection policy applies:
https://twitter.com/de/privacy.

8. YouTube

Our websites use videos from YouTube, LLC 901 Cherry Ave., 94066 San Bruno, CA, USA, a company of Google Inc., Amphitheatre Parkway, Mountain View, CA 94043, USA. In doing so, we use the “Enhanced Data Protection Mode” option made available by YouTube. By loading one of our sites via a YouTube video, contents from YouTube will be loaded. If you are logged on to your YouTube account, YouTube shall have the possibility to amalgamate your navigation behaviour with other data. The use of YouTube videos serves the purpose of offering an easy-to-understand representation of our Services. YouTube’s privacy policies apply:
https://www.google.de/intl/de/policies/privacy/.

9. Xing

Our websites use buttons by Xing AG, Dammtorstraße 29-32, 20354 Hamburg, Germany. By loading one of our sites via said buttons, contents from Xing will be loaded. To the best of our knowledge, no personal information is collected, and your navigation behaviour shall not be analysed. The data protection provisions for Xing’s buttons shall apply:
https://www.xing.com/app/share?op=data_protection.

XV. Rights of the data subject

If your personal data are processed, you are a data subject as defined by the GDPR, and you have the following rights before the controller:

1. Right to information

You can request the controller to provide you with a confirmation of whether personal data concerning you are being processed by us.

If such processing should exist, you can demand that the controller provide you with the following information:

the purposes toward which your personal data are being processed;

The categories of personal data which are being processed;

The recipients and/or the categories of recipients to whom the affected personal data has been- or continues to be disclosed;

the existence of the right to request from the controller rectification or erasure of personal data or restriction of processing of personal data concerning the data subject or to object to such processing;

the right to lodge a complaint with a supervisory authority;

where the personal data are not collected from the data subject, any available infor-mation as to their source;

the existence of automated decision-making, including profiling, referred to in Arti-cle 22(1) and (4) and, at least in those cases, meaningful information about the logic involved, as well as the significance and the envisaged consequences of such pro-cessing for the data subject.

You shall be entitled to demand information as to whether the personal data concerning you are being transferred to a third country or to an international organisation. In this regard, you can demand to be briefed on the applicable guarantees pursuant to Art. 46 GDPR associated to said transfer.

We shall respond to inquiries within a month upon receipt of the request.

2. Right to rectification

You also have the right to rectification and/or completion before the controller, provided that the processed personal data concerning you are incorrect or incomplete. The controller shall have the obligation to implement the rectification immediately.

3. Right to restriction of processing

Under the following circumstances, you may claim the restriction of the processing of the personal data concerning you:

if the accuracy of the personal data is contested by the data subject, for a period ena-bling the controller to verify the accuracy of the personal data;

if the processing is unlawful and you oppose the erasure of the personal data, request-ing that their use be restricted instead;

if the controller no longer needs the personal data for the purposes of its processing, but you require it for the assertion, exercise, or defence of legal claims; or

if you have filed an objection to the processing pursuant to Art. 21(1) GDPR, and it has not been yet determined whether the controller’s stated grounds outweigh yours.

If processing has been restricted, such personal data shall, with the exception of storage, only be processed either with your consent; for the purposes of asserting, exercising, or defending legal claims; for the protection of the rights of another natural or legal person; or for reasons of important public interest of the Union or of a Member State.

If the processing restriction was imposed under any of the above circumstances, you will be briefed by the controller before the restriction is lifted.

4. Right to erasure

You shall have the possibility to erase your account yourself at:
https://goodbye.innogames.com/login.
We will then erase all your personal data, provided that we are not legally mandated to storing them. After one year of inactivity, we will also erase your account with us.

a) Obligation to erase

You have the right to claim that the controller erase all personal data concerning you without undue delay, and the controller shall have the obligation to erase personal data without undue delay where one of the following grounds applies:

the personal data concerning you are no longer necessary in relation to the purposes for which they were collected or otherwise processed;

you have revoked your consent on the basis of which the data collection was ground-ed, Pursuant to Art. 6(1)(a) or Art. 9(2)(a) GDPR, and no other legal grounds exist for their processing.

you file an objection to the processing, pursuant to Art. 21(1) GDPR, and there are no outweighing grounds for the processing, or you file an objection to the processing pur-suant to Art. 21(2) GDPR.

the personal data concerning you have been unlawfully processed;

the personal data concerning you have to be erased to comply with a legal obligation which requires processing under the laws of the European Union or the Member States, to which the processor is subject;

the personal data concerning you have been collected in relation to the offer of information society services referred to in Article 8(1) GDPR.

b) Information for third parties

If the controller has made public the personal data concerning you and is obliged, pursuant to Art. 17(1) GDPR, to erase the personal data, the controller, taking account of available technology and the cost of implementation, shall take reasonable steps, including technical measures, to inform controllers who are processing the personal data that you, as data subject, have requested the erasure by said controllers of any links to, or copy or replication of, this personal data.

c) Exceptions

The right to erasure shall not apply whenever the processing is required for the purposes of:

exercising the right of freedom of expression and information;

complying with a legal obligation which requires processing under the laws of the European Union or the Member States, to which the processor is subject, or performing a task in the public interest or in exercise of public authority vested in the processor;

reasons of public interest in the area of public health in accordance with Art. 9(2)(h) and (i), as well as Art. 9(3) GDPR;

archival, scientific, or historiographical research purposes serving the public interest pursuant to Art. 89(1) GDPR, provided that the deletion right described in paragraph (a) does not render impossible or impede the realisation of the objectives of the processing;

for the establishment, exercise or defence of legal claims.

5. Right to briefing

If you assert the right to rectification, erasure, or restriction of processing before the controller, the latter has the obligation to notify all recipients to whom the personal data concerning you were disclosed of this data rectification, erasure, or the restriction of its processing, unless this should prove impossible or associated with a disproportionate cost.

You have the right to be informed of these recipients by the controller.

6. Right to data portability

You have the right to receive the personal data concerning you which you have provided to the controller in a structured, accessible, and machine-readable format. Furthermore, you have the right to transfer this data to another controller without restriction from the controller to whom the personal data had been provided, provided that

the processing is grounded on consent pursuant to Art. 6(1)(a) GDPR, or Art. 9(2)(a) GDPR, or on a contract pursuant to Art. 6(1)(b) GDPR, and

the processing is carried out by automated means.

In exercising this right, you have the further right to request that the personal data concerning you be directly transferred by one controller to another, provided that this is technically feasible. The liberties and rights of other persons may not be compromised by these actions.

The right of data portability shall not apply to processing personal data which is required for the performance of a task carried out in the public interest or in exercise of public authority vested in the controller

7. Right to object

You have the right to object to personal data processing concerning you on grounds relating to your particular situation, at any time, on the basis of Art. 6(1)(e) or (f) GDPR, including profiling based on those provisions.

The controller shall no longer process the personal data unless the controller demonstrates compelling legitimate grounds for the processing which override your interests, rights and freedoms, or for the assertion, exercise or defence of legal claims.

If personal data are processed for direct marketing purposes, you shall have the right to object at any time to processing of personal data concerning you for said marketing purposes, including profiling to the extent that it is related to such direct marketing.

If you object to processing for direct marketing purposes, personal data concerning you shall no longer be processed for such purposes.

In the context of the use of information society services, and notwithstanding Directive 2002/58/EC, you may exercise your right to object by using automated means which use technical specifications.

8. Right of withdrawal of consent under data protection law

You have the right to withdraw your declaration of consent under data protection law at any time. Withdrawal of consent shall not affect the lawfulness of data processing based on consent effective prior to its withdrawal.

9. Automated individual decision-making, including profiling

You shall have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning you or similarly affects you in a significant manner. The above shall not apply if the decision

is required for entering into, or performance of, a contract between yourself and a data controller,

is authorised by Union or Member State law to which the controller is subject and which also lays down suitable measures to safeguard your rights and freedoms and legitimate interests; or

is made with your express consent.

Decisions referred to in paragraph 2 shall not be based on special categories of personal data referred to in Article 9, Para. 1 GDPR, unless Article 9, Para. 2, lit. (a) or (g) applies and suitable measures are in place to safeguard your rights and freedoms and legitimate interests.

In the cases referred to in points (1) and (3), the data controller shall implement suitable measures to safeguard your rights and freedoms and legitimate interests, entailing, at a minimum, the right to obtain human intervention on the part of the controller, to express his or her point of view and to contest the decision.

10. Right to lodge a complaint with a supervisory authority

Without prejudice to any other administrative or judicial remedy, you shall have the right to lodge a complaint with a supervisory authority, in particular in the Member State of his or her habitual residence, place of work or place of the alleged infringement if you consider that personal data processing relating to you infringes the GDPR.

The supervisory authority with which the complaint has been lodged shall inform the complainant on the progress and the outcome of the complaint including the possibility of a judicial remedy pursuant to Article 78 of the GDPR.

XVI. Final provisions

InnoGames may alter these data protection provisions at any time. InnoGames shall notify any such changes through appropriate channels.